GDPR, the CISO and a positive mind-set
May 21, 2018
For the vast majority of organisations, the GDPR process has been overseen by the legal team – no wonder when you consider the risk of non-compliance. But when it comes to implementation and ongoing management, the onus will fall on a large number of division leaders, and you cannot underrate the role of the chief information security officer (CISO).
No one person is or can be responsible for GDPR; ultimately, accountability sits across the organisation. After all, GDPR is about transparency and clarity on the customer and employee data that you hold within your organisation. It’s about making sure that data isn’t being used incorrectly or put at risk. No mean feat when you consider the rate at which data is generated and used, and decisions are made, across most teams within businesses.
Within this complex accountability model, the CISO brings to the table the piece of the picture that is at the core of their role: security and protection against threats. That means managing the risks to reduce the likelihood that the personal data defined within the GDPR regulation is exposed in a data breach. The CISO’s responsibility is always about protecting the organisation from breaches or malicious activity and managing that risk.
EU GDPR can be seen as either a burden or an opportunity for security teams. Treated as a burden, a nasty compliance exercise you have to get through, the danger is that you end up with a clunky, compliance-driven solution that is a hassle to live with. However, if you view it as an opportunity to drive best practice, EU GDPR can become a catalyst that evolves security to a higher standard and keeps the organisation focused on improving security. That is a great opportunity for the CISO.
The way we view it, EU GDPR is ultimately only one piece of the compliance landscape. As such, the CISO’s commitment should be to solving for best practice, which rests on four key principles:
- Choosing risk-based cyber security strategies that safeguard the organisation and all data including customer and employee data
- Being proactive, and being able to demonstrate and answer to any regulator that you are fireproofing, not firefighting
- Being a trusted advisor to boards, C-suites and employees on how best to manage and protect data within the business
- Using insight to make informed, intelligent, risk-based security decisions that constantly improve your risk posture
Like it or not, the clock to GDPR is ticking, and unlike Y2K, the work doesn’t stop at the deadline. Ongoing compliance will be much easier, and a much more positive experience for the CISO and the whole company, if it’s viewed as the opportunity it is rather than a burden.